The National Institute of Standards and Technology has issued new guidance to help organizations manage risk by deciding which assets need to be protected the most.
NISTIR 8179, Criticality Analysis Process Model, sets out a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may have on those goals. The publication says that a criticality analysis can help organizations identify and better understand the systems, subsystems, components, and subcomponents that are most essential to their operations and to the environment in which they operate. This can lead to better decision-making about information security and privacy risk management.
The model has been designed to follow the way organizations design and manage projects and systems. It can be used with a variety of risk management standards and guidelines including the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of National Institute of Standards and Technology (NIST) Special Publications (SPs).
The model consists of five main processes, which include adopting a set of procedures for performing a criticality analysis, analyzing and identifying key activities, reviewing and analyzing the system, and having a collaborative group analyze the baseline criticality results.
NIST says that using the model can “help increase robustness and granularity of the decisions made about levels of protection afforded to systems and components during system development and acquisition life cycles.”